Preauthentication failures without requires_preauth
Darren Reed (Optimation)
darrenr at optimation.com.au
Tue Nov 19 02:50:01 EST 2002
If a client sends a TGT request with invalud preauthenticated
data, will a valid TGS response be sent back if requires_preauth
is not sent for the principal concerned (ie. the password used
to create the preauthenticated data is incorrect) ?
Following on from this, is there an "easy" way to set this flag
(requires_preauth) on all entries in the kdc ? Can I dump the
database out, set requires_preauth in kdc.conf, nuke the kdc
db, recreate it and load with kdb5_util, resulting in the flag now
being set on all principals ? I know I can write a script to do
this, just looking at other alternatives.
More information about the krbdev